Was the Ashley Madison hack an inside job or strictly done from the outside?
The debate rages in certain circles, with the insider theory buttressed by site CEO Noel Biderman suspecting the attacker was likely someone who at one time had legitimate access to the company’s internal networks.
“We’re on the doorstep of [confirming] who we believe is the culprit, and unfortunately that may have triggered this mass publication,” Biderman told security writer Brian Krebs. “I’ve got their profile right in front of me, all their work credentials. It was definitely a person here that was not an employee but certainly had touched our technical services.”
That seemed to be blunted somewhat last week when Avid Life Media Inc., which owns Ashley Madison and other dating sites, offered a $500,000 reward to anyone who provides information to the police that leads to the identification, arrest and conviction of the person or persons responsible for the theft of its data.
But one security analyst says the distinction is meaningless. “All cybercrime is an inside job, anyway, whether an outsider got in because you weren’t watching and stole stuff, or someone inside stole stuff because you weren’t watching,” says John Kindervag of Forrester Research.
What matters is a large amount of data — perhaps 30 GB of customer data and corporate email — was shipped out of the company without being seen.
“Don’t try to shift the blame or responsibility,” Kindervag says. In a successful attack “it doesn’t matter whether it was an insider. What matters is you were completely blind and you weren’t looking, and you weren’t paying attention.”
At this point, it isn’t clear if Avid Life Media has a marketing or a technology problem — likely both.
Biderman resigned last Friday. A statement from the company said it was by mutual consent. “This change is in the best interest of the company,” the statement said. But it came after a number of news stories suggesting there weren’t a lot of women registered on AshleyMadison.com — Gizmodo initially suggested there were only 12,000 judging by the leaked data, then backed off and said the real number couldn’t be estimated. But, the writer added, there was evidence that Ashley Madison created more than 70,000 female bots to send male users millions of fake messages, “hoping to create the illusion of a vast playland of available women.”
There were also allegations two people had committed suicide after being identified as Ashley Madison members from the data dump.
In reply, Avid Life Media issued a statement saying “recent media reports predicting the imminent demise of Ashley Madison are greatly exaggerated … This past week alone, hundreds of thousands of new users signed up for the Ashley Madison platform – including 87,596 women.”
Cynics suggested these women had joined to see if their partners are members.
Whether Avid Life and its sites can survive is an open question. To some degree, members of these sites assume, or at least hope for, a certain level of privacy — and the company says that it “always had the confidentiality of our customers’ information foremost in our minds, and have had stringent security measures in place, including working with leading IT vendors from around the world.”
Other companies — retailers and hospitals — have survived data breaches. There’s a difference, though: Credit card companies cover losses due to theft, few will dump a doctor because a hospital made mistakes and many people can be mollified by a sincere apology. And as one person told me, sex sells.
So assuming the company can rebuild its image, what should Avid Life’s CISO do? Start building a zero trust network, advises Kindervag. “Step one would be doing something that gains more (network) visibility and then start rebuilding their network in a way that provides the proper access control, inspection, logging. Plus information shouldn’t be stored in cleartext. Knowing just the names of people who sign up is particularly sensitive, given the fact that a lot of those people are doing something that would be considered immoral.
“They need to start a systematic re-think of everything they’re doing … they were probably doing almost everything wrong.”
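The visibility Kindervag describes starts with actually looking at outbound traffic: tens of gigabytes leaving a network is noticeable if anyone measures per-host egress against a baseline. The following script is an added example, not code from the article or from Avid Life Media. It parses a constructed, simplified flow-log format (timestamp, source, destination, port, bytes), sums each internal host's transfers to external addresses, and flags hosts on three assumed criteria: an absolute volume ceiling, a multiple of the upper median of all other hosts, and any external transfers during assumed quiet hours. The internal address ranges, thresholds and sample records are all assumptions made for the example.

```python
"""Added example: per-host egress-volume check over constructed flow logs.
Not from the article; log format, thresholds and addresses are assumed."""
from collections import defaultdict
from datetime import datetime
from ipaddress import ip_address, ip_network

# Assumed internal address space; any other destination counts as external.
INTERNAL_NETS = [ip_network("10.0.0.0/8"), ip_network("192.168.0.0/16")]

# Constructed sample records: timestamp src dst dst_port bytes_out.
# The first host pushes ~6.6 GB to one external address in the small hours;
# the others show ordinary daytime traffic (one transfer is internal-only).
SAMPLE_FLOWS = """\
2015-07-12T02:10:00 10.0.5.21 203.0.113.8 443 1800000000
2015-07-12T02:35:00 10.0.5.21 203.0.113.8 443 2200000000
2015-07-12T03:05:00 10.0.5.21 203.0.113.8 443 2600000000
2015-07-12T09:00:00 10.0.7.40 10.0.7.41 5432 900000000
2015-07-12T09:15:00 10.0.7.40 198.51.100.3 443 120000
2015-07-12T10:00:00 10.0.9.11 198.51.100.9 80 45000
"""


def is_internal(addr):
    """True if the address falls inside one of the assumed internal ranges."""
    ip = ip_address(addr)
    return any(ip in net for net in INTERNAL_NETS)


def parse_flows(text):
    """Parse the whitespace-separated sample format into dicts."""
    flows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, port, nbytes = line.split()
        flows.append({
            "ts": datetime.fromisoformat(ts),
            "src": src,
            "dst": dst,
            "port": int(port),
            "bytes": int(nbytes),
        })
    return flows


def external_egress_by_host(flows):
    """Total bytes each internal host sent to external destinations."""
    totals = defaultdict(int)
    for f in flows:
        if is_internal(f["src"]) and not is_internal(f["dst"]):
            totals[f["src"]] += f["bytes"]
    return dict(totals)


def flag_egress(flows, max_bytes=1_000_000_000, ratio=10.0, quiet_hours=range(0, 6)):
    """Return {host: [reasons]} for hosts whose external egress looks abnormal.

    Criteria (all assumed for the example):
      - total external bytes above an absolute ceiling (max_bytes);
      - total more than `ratio` times the upper median of the other hosts;
      - any external transfer whose start hour is in quiet_hours.
    """
    totals = external_egress_by_host(flows)
    findings = {}
    for host, total in totals.items():
        reasons = []
        if total > max_bytes:
            reasons.append(f"{total / 1e9:.1f} GB to external hosts exceeds "
                           f"the {max_bytes / 1e9:.1f} GB ceiling")
        others = sorted(t for h, t in totals.items() if h != host)
        if others:
            baseline = others[len(others) // 2]  # upper median of the rest
            if baseline and total > ratio * baseline:
                reasons.append(f"{total / baseline:.0f}x the median egress "
                               f"of other hosts ({baseline} bytes)")
        quiet = sum(1 for f in flows
                    if f["src"] == host and not is_internal(f["dst"])
                    and f["ts"].hour in quiet_hours)
        if quiet:
            reasons.append(f"{quiet} external transfer(s) during quiet hours")
        if reasons:
            findings[host] = reasons
    return findings


if __name__ == "__main__":
    for host, reasons in flag_egress(parse_flows(SAMPLE_FLOWS)).items():
        print(host)
        for r in reasons:
            print("  -", r)
```

Run as-is it reports only 10.0.5.21, on all three criteria; the 900 MB database transfer from 10.0.7.40 is ignored because its destination is internal. The point is not the thresholds themselves but that a check of this kind needs flow records to exist and someone to read the output, which is the gap Kindervag describes.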